IP Forwarding and Routing Protocols Part 2

IP Forwarding on a shoestring Part 2

How does a router actually forward (routing protocols) IP datagrams?

A router receives a packet on one of its interfaces and then forwards the packet out another of its interfaces based on the contents found in the IP header. If the packet was part of a video stream (multicast / multi-destination) it would be forwarded out more than one interface, and if the packet was part of a normal banking transaction (unicast) it would be forwarded out one of its interfaces. As the packet is forwarded by each routing device in a hop-by-hop fashion, the packet's IP header remains relatively unchanged, containing the complete set of instructions on how to forward the packet. However, the data-link headers (the layer directly below) may change radically at each hop in order to match the changing media types.

For example, the router receives a packet on one of its attached Ethernet segments. The router will first look at the packet's data-link header, which in this case is Ethernet. If the EtherType is set to 0x800, indicating an IP packet (a unicast MPLS packet has an EtherType value of 0x8847), the Ethernet header is stripped from the packet and the IP header is examined.

The router then verifies the contents of the IP header by checking a number of fields to validate it. In addition, the router should check that the entire packet has been received, by checking the IP length against the size of the received Ethernet packet. If any of these basic checks fail, the packet is deemed malformed and discarded. Next the router checks the TTL field in the IP header and determines that it is greater than 1. The Time-To-Live (TTL) field specifies how long the packet should live, counted in terms of the number of routers the packet (technically a datagram) has traversed (hop count). The initial TTL value is selected by the source host, and it is recommended to use 64. In certain scenarios other values are set to limit the time, in hops, that the packet should live. The purpose of the TTL is to make sure the packet does not circulate forever when there are routing loops. Each router in the path decrements the TTL field by 1 when it forwards the packet out its interface(s), and when the TTL field is decremented to 0, the packet is discarded and a message known as an ICMP (Internet Control Message Protocol) TTL Exceeded is sent back to the source host.
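The checks described above, written out as an added example (not code from the original article): the function takes the EtherType and the Ethernet payload, validates the IPv4 header and length, and decrements the TTL. The function names and the sample datagram are constructed for illustration.

```python
import struct

def checksum(header: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071) over 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(ttl: int, payload: bytes) -> bytes:
    """Constructed sample datagram: 10.10.10.1 -> 10.10.10.2, protocol 17 (UDP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, 17, 0, bytes([10, 10, 10, 1]), bytes([10, 10, 10, 2]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def forward_check(ethertype: int, data: bytes):
    """Return (verdict, datagram_to_forward) for one received Ethernet payload."""
    if ethertype != 0x0800:
        return "not-ipv4", None
    if len(data) < 20:
        return "drop-malformed", None
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    # The IP length must fit inside what was actually received (padding is allowed).
    if version != 4 or ihl < 20 or not ihl <= total_len <= len(data):
        return "drop-malformed", None
    if checksum(data[:ihl]) != 0:          # a valid header sums to zero
        return "drop-malformed", None
    ttl = data[8]
    if ttl <= 1:                           # router would also send ICMP TTL Exceeded
        return "drop-ttl-exceeded", None
    hdr = bytearray(data[:ihl])
    hdr[8] = ttl - 1                       # decrement the TTL ...
    hdr[10:12] = b"\x00\x00"               # ... and recompute the header checksum
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return "forward", bytes(hdr) + data[ihl:total_len]
```

Because the TTL lives inside the checksummed header, every forwarding hop has to rewrite the checksum as well as the TTL byte.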

The router then looks at the destination IP address, which can be a destination host (unicast), a group of destination hosts (multicast) or all hosts on the segment (broadcast). As mentioned previously, the router has what is known as a routing table, which tells it how to forward a packet, and the destination IP address is a key component of the routing table lookup. Forwarding is done on a destination basis: if I want to get to destination X, I have to go to Y (the concept of source routing is not in scope of this article). The contents of the router's routing table are parsed and the best-matching routing table entry is returned, indicating whether to forward the packet and, if so, the interface to forward the packet out of and the IP address of the next IP router (if any) in the packet's path. On a Cisco device the actual moving of the packet from the inbound interface to the outbound interface is carried out by a process known as CEF (Cisco Express Forwarding). The CEF table is a mirror image of the routing table, and any change in the routing table is reflected in the CEF table. It has a different structure than the routing table, which allows for very fast lookups. If you want to parse the routing table you have to start at the top and work your way down; this can be time-consuming and resource-intensive, especially if your match is the last entry in the routing table. CEF structures let you search on the bit boundary and, together with the adjacency table, optimize the routing process.
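To make the difference between a top-down scan and a bit-boundary search concrete, here is an added example (not from the original article, and not Cisco's actual CEF data structure): a generic binary trie that walks the destination address one bit at a time, next to a linear scan of the same table. The routes, next hops and interface names are constructed.

```python
import ipaddress

class PrefixTrie:
    """Binary trie keyed on address bits; a lookup costs at most 32 steps."""
    def __init__(self):
        self.root = {}

    def insert(self, prefix, next_hop, interface):
        net = ipaddress.ip_network(prefix)
        bits, node = int(net.network_address), self.root
        for i in range(net.prefixlen):
            node = node.setdefault((bits >> (31 - i)) & 1, {})
        node["route"] = (prefix, next_hop, interface)

    def lookup(self, address):
        bits = int(ipaddress.ip_address(address))
        node, best = self.root, self.root.get("route")
        for i in range(32):
            node = node.get((bits >> (31 - i)) & 1)
            if node is None:
                break
            best = node.get("route", best)   # remember the longest match so far
        return best

def linear_lookup(routes, address):
    """Reference method: scan every entry and keep the longest matching prefix."""
    addr, best, best_len = ipaddress.ip_address(address), None, -1
    for route in routes:
        net = ipaddress.ip_network(route[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best

ROUTES = [  # constructed sample routing table: (prefix, next hop, interface)
    ("0.0.0.0/0", "192.0.2.1", "eth0"),
    ("10.0.0.0/8", "192.0.2.2", "eth1"),
    ("10.10.0.0/16", "192.0.2.3", "eth2"),
    ("10.10.10.0/24", None, "eth3"),        # directly connected, no next hop
]
TRIE = PrefixTrie()
for route in ROUTES:
    TRIE.insert(*route)
```

The linear scan touches every route on every packet, while the trie's cost is bounded by the address length regardless of how many routes are installed.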

If a router receives a unicast packet that is too large to be sent out in one piece, because its length is greater than the outgoing interface's Maximum Transmission Unit (MTU), the router attempts to split the packet into a number of smaller pieces, called fragments. The slicing of packets into smaller packets affects performance adversely and should be avoided. One way to avoid fragmentation is to have the same MTU on all links and have the hosts send packets with a size within this range. This may not be possible due to the variety of media and administrative domains a packet may cross on its path from source to destination. Path MTU discovery (PMTUD) is the mechanism used to determine the maximum size of the MTU in the path between two end nodes (source and destination). PMTUD dynamically figures out the lowest MTU of any link on the path between the end nodes. A host sends an initial packet (datagram) sized to the MTU of that interface with the DF (don't fragment) bit set. Any router in the path with a lower MTU discards the packet and returns an ICMP message (type 4 – fragmentation needed and DF set) back to the source. This message is also known as a "packet too big" message. The sender estimates a new size for the packet, and the process repeats until the PMTU is found.

The basics of IP forwarding can be modified in a number of ways, resulting in data packets taking different paths through the network. In previous examples we discussed routers consulting their routing tables to determine the next hop and single exit interface to send a packet to its destination: "destination-based forwarding". However, a router may have multiple paths (exit interfaces) to reach a destination. These paths can then be used to spread traffic to a destination prefix across alternative links, called multipath routing or load balancing, resulting in more bandwidth available for traffic to that destination. In a layer 3 environment, links with the same cost are considered for equal-cost multipathing and can load balance traffic across those links. You can, however, have unequal-cost links (links with different costs) used for multipathing, but this needs to be supported in the routing protocol, e.g. EIGRP. Whichever method is used, equal- or unequal-cost multipathing, when there are multiple paths to a destination prefix the router's routing table lookup will return multiple next hops.

Generally, routers want to guarantee that packets belonging to a given TCP connection always travel over the same path, because reordering of the TCP packets would reduce TCP performance and increase CPU cycles if carried out in software. For this reason, routers use a hash function of some of the TCP connection identifiers (source and destination IP address) to choose among the multiple next hops. A TCP connection is identified by a 5-tuple, which refers to a set of five different values that comprise a TCP/IP connection. It includes a source IP address/port range, destination IP address/port number and the protocol in use. A router can load balance on any of these. Recent technologies such as TRILL and Cisco's FabricPath let you load balance at L2 (ECMP), allowing you to build massive data centers with L2 multipathing.
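The per-flow hashing described above, as an added example (not from the original article): it picks a next hop from a hash of either the source/destination address pair or the full 5-tuple and counts how 1000 constructed flows spread over two next hops. SHA-256 stands in for whatever hash a real router uses; the addresses, ports and function names are assumptions.

```python
import hashlib
import ipaddress
import struct

def flow_key(src, dst, proto, sport, dport, fields="5-tuple"):
    """Serialise the header fields the hash is computed over."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    if fields == "5-tuple":
        key += struct.pack("!BHH", proto, sport, dport)
    return key                      # fields="src-dst" hashes the addresses only

def pick_next_hop(next_hops, key):
    """Same key -> same next hop, so a flow's packets are never reordered."""
    digest = hashlib.sha256(key).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]

def spread(next_hops, flows, fields):
    """Count how many flows land on each next hop."""
    counts = {nh: 0 for nh in next_hops}
    for flow in flows:
        counts[pick_next_hop(next_hops, flow_key(*flow, fields=fields))] += 1
    return counts

# Constructed sample: two equal-cost next hops and 1000 TCP connections
# between the same two hosts, differing only in source port.
NEXT_HOPS = ["192.0.2.1", "192.0.2.2"]
FLOWS = [("10.10.10.1", "10.10.10.2", 6, 49152 + i, 443) for i in range(1000)]

if __name__ == "__main__":
    print("src-dst hash:", spread(NEXT_HOPS, FLOWS, "src-dst"))
    print("5-tuple hash:", spread(NEXT_HOPS, FLOWS, "5-tuple"))
```

Hashing on addresses alone pins every connection between one pair of hosts to a single link, while including the ports spreads those connections across both links without splitting any single connection.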

An application can also modify the handling of its packets by extending the IP headers with one or more IP options. IP options are generally used to aid in statistics collection (route-record and timestamp) and not to influence path determination, as they do incur a performance hit and internet routers are already optimized for packet forwarding without any additional options. Options such as strict-source route and loose-source route, which can be used to control the path packets take, are generally blocked by security devices or filters implemented on routers. The router then prepends the appropriate data-link header for its outgoing interface. The ARP process then resolves the next-hop IP address to a data-link address (MAC address) and the router sends the packet to the next hop, where the process is repeated.

Note: Ethernet frames have an L2 identifier known as a MAC address, with 6 bytes for the destination address and 6 bytes for the source address.

The ARP process is very simple: it translates IP addresses (L3) into the associated MAC addresses (L2). Consider the communication between two hosts on an Ethernet segment: host 1 has IP address 10.10.10.1 and host 2 has IP address 10.10.10.2. For these hosts to communicate, they need to build frames at L2 with source and destination hardware MAC addresses. Host 1 opens up a web browser and tries to connect to a service on host 2, which has a destination of 10.10.10.2. Host 1 uses ARP to map the IP address to the MAC address of the destination host.

a) Host 1 sends a broadcast ARP request on the Ethernet LAN segment which contains the IP address of the destination host ( 10.10.10.2 ).

b) As this message is a broadcast, all the hosts on the segment receive the ARP broadcast request and examine the IP field of the request.

c) Host 2 identifies its own IP in the request and sends an ARP response with the information about its MAC address. The ARP response is a unicast (single network destination identified by a unique address) to the host that generated the request.

d) The hosts will now cache the results of the information from the ARP requests and responses into a cache table known as the ARP table.

The ARP table optimizes communications between directly connected devices. Upon receiving an ARP response, devices keep the IP-to-MAC address mapping for some time, usually up to 4 hours. This means a router does not need to send an ARP request for any IP address it has previously learned. ARP tables may also be updated by what is known as a gratuitous ARP. A gratuitous ARP is an ARP request that a host sends to itself with the purpose of updating its neighbors' ARP tables. An example of this would be when a VM is moved from one ESX host to another: in order for the other devices to know that it has moved, it sends a gratuitous ARP. This process updates the router's ARP table.

Because ARP operates so simply, Layer 2 attacks can exploit its weaknesses. One of the main security drawbacks of ARP is that it does not provide any control that proves that a particular MAC address truly corresponds to a given IP address. An attacker can exploit this by sending a forged ARP reply with its own MAC address and the IP address of a default gateway. When victims update their ARP tables with this new entry, they start to send packets to the attacker's host instead of the intended gateway. The attacker can then monitor all traffic destined to the default gateway. This is known as ARP spoofing.
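Since ARP itself cannot prove a binding, detection has to come from watching for bindings that change. The following added example (not from the original article) parses ARP payloads and reports when a sender IP shows up with a different MAC, treating a pinned gateway entry as authoritative and labelling gratuitous updates such as a VM move separately. The class name, the addresses and the documentation-range MACs are constructed, and pinned MACs are assumed to be written in lowercase.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def arp_packet(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (constructed detector input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(raw):
    """Return the sender binding, or None if this is not Ethernet/IPv4 ARP."""
    if len(raw) < 28:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"mac": sha.hex(":"), "ip": ".".join(map(str, spa)),
            "gratuitous": spa == tpa}   # sender announces its own address

class ArpWatch:
    """Tracks sender IP-to-MAC bindings and reports any that change."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # known-good bindings, e.g. the gateway
        self.seen = {}                     # bindings learned from observed traffic

    def observe(self, raw):
        msg = parse_arp(raw)
        if msg is None:
            return None
        ip, mac = msg["ip"], msg["mac"]
        if ip in self.pinned and mac != self.pinned[ip]:
            return ("ALERT", ip, self.pinned[ip], mac)   # never learn over a pin
        previous = self.seen.get(ip)
        self.seen[ip] = mac
        if previous is not None and previous != mac:
            kind = "gratuitous" if msg["gratuitous"] else "normal"
            return ("CHANGED", ip, previous, mac, kind)
        return None
```

A CHANGED event is a prompt to correlate with a known move or failover, whereas an ALERT on the pinned gateway address should not occur in normal operation.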

About Matt Conran
